
About hackers, cadabra and TM

I decided to support the hacker trend and dilute Habr with a story of my own. You won't find elegant tricks, colourful characters or a gripping plot in it, but the story is completely real and reveals some very interesting things. Besides, everything ended well and my conscience does not trouble me, yet it is still worth writing down while I can remember anything at all.

The story took place last spring and is connected with the redesign of Autocadabra. If anyone doesn't know, it is one of TM's projects, not a very successful one, and therefore not spoiled by the attention of its own developers. None of that really matters, though, so let's just go back to 15 May 2009. Autocadabra had just had a global redesign, not only of its appearance but also of a number of self-regulation mechanisms and other things. People rushed to poke around in the interfaces and write up what they found and what they liked. The crowd was talking only about the long-awaited redesign, especially since nobody had known what it would turn out like.

Against the background of all this madness, I finally decided to write something in the "about myself" field of my profile. I wrote two lines but saw that everything was displayed on one. Without any ulterior motive I entered a &lt;br /&gt;, saved, and it worked... The thought started moving: I tried other tags, and there were no restrictions. I decided to try JS, typed it in, and to my amazement found that it, too, worked in full!

The new interface had a button for sending error reports, which I decided to use. I described that, so and so, kind people, the parser for the profile field is slacking off and lets all kinds of JavaScript through. I wrote it up and sent it, and at the same time went to check Habr, but on Habr, of course, everything was filtered properly. With a sense of accomplishment I had almost calmed down, but then an old acquaintance, who is also a developer, caught me on instant messenger.
I described the situation to him, we had a laugh, and yes... now the thought was working for two. He quickly wrote some JS that sent the cookies in a GET request, and I put together a script on the server that dumps all incoming requests to a log. I added the JS to my profile, refreshed the page, and saw my own PHPSESSID in the logs. After that it got boring, and I went for lunch. I was completely sure the hole would be closed quickly, so the prospects for further mischief existed in my head only in theory. Surely the error-report button wasn't hung there for nothing? They would certainly respond quickly, I thought.

Surprisingly, after lunch the hole was still gaping, and some people had even visited my profile, leaving their session IDs behind. I opened the browser, replaced my ID with one of the ones that had been sent, and voila, as expected, I had become a different user! It was a delight! Naturally, I never thought of deleting posts or writing nasty things in someone else's name; it was interesting only as an experiment that clearly worked! The first, last and only thing I did was write the same script into their profiles too.

Well, you can imagine how it went from there. Each new visitor to a captured profile not only added to the pool of accounts I could walk around the site with, but also widened the net for intercepting identifiers. The first real success came when I got access as AVP, an old-timer on the site who is close to the developers. His account had several thousand (or was it hundreds?) posts and a huge archive of private correspondence, including with the developers, which I considered beneath my dignity to read. Either way, the vulnerability no longer looked so innocent.

Then luck knocked again: I got the account of one of the developers! Alas, I don't remember the nickname, but what's the difference? I replaced the red Ferrari in his garage with something like a light green Zaporozhets, and then several other people added cars too: a pink Bentley and white Maybachs. Posts appeared on the site saying the garage was buggy and strange cars were showing up. At that point my mood could not have been better; for several hours I felt on top of the world. The only thing that still bothered me was the lack of any response from the developers.

However, to TM's credit, it must be admitted that it was impossible to change an account's e-mail and/or password. The danger was purely at the access level: one could erase all of an author's posts, write nasty things in PM on his behalf, or comment on something. Not exactly irreparable, but enough to fray someone's nerves.

When one of the developers politely asked, in the next post about errors, that people use the special form, I couldn't resist needling him on the subject using another developer's account. By that point, frankly, the situation had started to annoy me. This is not some fly-by-night outfit, the hole is clearly nothing exotic, you report it to them through the special form, and no reaction! All that was left to do to take over the entire resource was to write an innocent post that would send everyone to someone's profile. Nothing complicated, really! "I have a traffic light in my profile that's blue, is it just me with this glitch?" and a crowd of people would rush to the link, leaving their identifiers there!

Why not write it on the main page, then? How could I not, when nobody had beaten the hapless patrons to it? I had to write a post in the developer's name saying that nothing was left before Autocadabra was taken over, and that the administration was twiddling its thumbs instead of reacting to error reports. Of course, a few minutes after publication Autocadabra was closed for maintenance, and when it reopened some time later, scripts in profiles no longer worked.

* * *

You can draw a whole bunch of conclusions from this story, and I suggest everyone do so for themselves.
I take this opportunity to say hello to TM.

Thank you all for your attention!

Source: https://habr.com/ru/post/86939/
